U.S. Department of Energy
Office of Inspector General
Office of Audits and Inspections

Special Report

The Department of Energy's July 2013 Cyber Security Breach

DOE/IG-0900    December 2013

Department of Energy
Washington, DC 20585

December 6, 2013

MEMORANDUM FOR THE SECRETARY

FROM:     Gregory H. Friedman
          Inspector General

SUBJECT:  INFORMATION: Special Review of the "Department of Energy's July 2013 Cyber Security Breach"

BACKGROUND

To facilitate its administrative and operational needs, the Department of Energy maintains a substantial amount of personally identifiable information (PII). The Department's Management Information System (MIS) provides a gateway for users to access a system known as the DOE Employee Data Repository (DOEInfo) database. That system was implemented in 1994 and over time has become the central repository for information on the Department's current and former employees, dependents and contractors. Among other data elements, information stored in DOEInfo included name, address, Social Security number, date and place of birth, and banking information. In addition, Homeland Security Presidential Directive 12 badge and position sensitivity information, as well as the security questions and answers necessary to request username and password resets, were stored in the database.

Over the past several years, MIS has been involved in no fewer than three cyber security breaches. According to Department officials, neither of the first two incidents, one in May 2011 and the second in January 2012, appeared to result in the loss of personal information. In July 2013, however, hackers exploited a software vulnerability to gain access to MIS and exfiltrated personal information from DOEInfo.

Because of the importance of ensuring the security of the Department's systems and sensitive information, and at the request of the Chief Information Officer, we commenced a special review into the circumstances surrounding the MIS/DOEInfo breach. During our review, we conducted more than 35 interviews with Federal officials and contractor personnel from most of the Department's programs and staff offices. We also reviewed supporting information pertinent to MIS and DOEInfo and the events surrounding the breach.

RESULTS OF REVIEW

In spite of a number of early warning signs that certain personnel-related information systems were at risk, the Department had not taken the action necessary to protect the PII of a large number of its past and present employees, their dependents and many contractors. We concluded that the July 2013 incident resulted in the exfiltration of a variety of PII on over 104,000 individuals.

Our review identified a number of technical and management issues that contributed to an environment in which this breach was possible. Compliance and technical problems included:

   •   The frequent use of complete Social Security numbers as identifiers, a practice contrary to Federal guidance. While not a direct contributor to the July 2013 breach, officials also failed to encrypt PII stored on the breached system, a practice that ignored a key industry and Federal best practice.

   •   Permitting direct internet access to a highly sensitive system without adequate security controls. Interestingly, routine internet access to e-mail required greater security than did access to the vast amounts of PII contained in DOEInfo.

   •   Lack of assurance that required security planning and testing activities were conducted. In particular, we determined that MIS and DOEInfo had not been securely integrated with one another. The Office of the Chief Information Officer (OCIO) also had not performed the required system certification testing or provided MIS an authorization to operate.

   •   Permitting systems to operate even though they were known to have critical and/or high-risk security vulnerabilities. The Department had not taken appropriate action to remediate known vulnerabilities on its systems, either through patching, system enhancements or upgrades.

   •   Failure to assign the appropriate level of urgency to replacing end-of-life systems. Although core support for the version of the compromised application upon which MIS was built ended in July 2012, the Department did not purchase updated software until March 2013 – 8 months after support for the outdated application ended.

We also identified numerous contributing factors related to inadequate management processes. These issues created an environment in which the cyber security weaknesses we observed could go undetected and/or uncorrected. Specifically, we discovered:

   •   Competing priorities between mission-related work and cyber security that resulted in continued operation of systems even though they were known to have high-risk vulnerabilities. In that respect, officials told us that they lacked the authority to impose restrictions on system operation or take other corrective measures when known security vulnerabilities were not addressed. We could not determine with certainty whether the lack of authority, in all instances, was real or only perceived.

   •   Unclear lines of responsibility between and within program and staff offices. As it related to the July 2013 breach, officials from the Office of the Chief Financial Officer (OCFO) told us that they believed that the OCIO was responsible for patching vulnerabilities in the breached system. However, OCIO officials told us just the opposite, that the OCFO was responsible for that task.

   •   Lack of awareness by responsible officials regarding the complete operating environment for the vulnerable database. We learned that since its deployment in 1994, over 30 separate systems had become attached to DOEInfo. At least two of the interconnected systems were no longer being used, one of which had non-sensitive data taken from it during the breach.

   •   Ineffective communications and coordination among responsible officials. OCIO officials told us that various system owners they supported prohibited them from making security updates to applications in a timely manner because doing so would make it harder for employees to do their work. Conversely, program officials indicated that they directed security-related issues to the OCIO and never received responses. We found that communication issues within the OCIO likely contributed to the recent breach. Specifically, system anomalies discovered by an application developer and reported to the OCIO prior to the breach were not fully investigated prior to being corrected. In this case, we question the thoroughness of the Department's analysis of the reported anomalies.

While we did not identify a single point of failure that led to the MIS/DOEInfo breach, the combination of the technical and managerial problems we observed set the stage for individuals with malicious intent to access the system with what appeared to be relative ease. The attackers in this case were able to use exploits commonly available on the internet to gain unfettered access to the relevant systems and exfiltrate large amounts of data – information that could be used to damage the financial and personal interests of many individuals. As noted in many past Office of Inspector General evaluation reports completed pursuant to the Federal Information Security Management Act of 2002, weaknesses identical to those exploited in this case hold the potential for significant harm to the Department.

We also found that the PII stolen was much more extensive than originally reported by the Department. Alarmingly, we noted as many as 150,000 unique 9-digit records (possible Social Security numbers) in the forensic data gathered after the event. In response to our analysis and briefing to the Deputy Secretary in September 2013, the Department's Chief Information Officer and Acting Chief Financial Officer stated that they believed many of the records included in the forensic data represented false positives, but estimated the number of individuals impacted to be over 104,000. Breached information also exceeded just the names, dates of birth and Social Security numbers initially reported by the Department. In particular, the forensic data we analyzed revealed that select bank account numbers, places of birth, education, security questions and answers, and disabilities were also included in the loss of information.
Department officials told us that they examined the evidence we provided, validated it, and were in the process of notifying all impacted individuals that their PII had been compromised.

Financial and Program Impacts

In addition to the obvious risk to individuals whose PII was exposed, the financial consequences to the Department of recovering from this breach of data security will be substantial. The OCIO noted that, as of October 2013, the Department estimated it would spend approximately $1.6 million for credit monitoring and labor costs associated with establishing a call center through which affected individuals could obtain additional information on the breach. We noted that additional costs may be necessary to support continued call center operations. In addition, the Department had incurred significant costs associated with the recovery and lost productivity – funds that could have been better spent supporting the Department's core missions. In particular, in October 2013, the Secretary authorized the use of up to 4 hours of administrative leave for all affected Federal employees to take action to correct issues associated with the event, an action we estimate could cost the Department an additional $2.1 million in lost productivity.

Morale and reputational issues associated with the breach also have an adverse impact upon the Department. According to officials we spoke with, various employees received notification that their PII had been compromised in both this and an earlier unrelated breach, and employee complaints demonstrated a loss of confidence in Departmental cyber security. For those reasons, we believe that the Department needs to redouble its effort to improve its relationships with the affected individuals to ensure that notifications are made as quickly as possible.

Path Forward

Without improvements to the Department's information technology and management control environment in areas such as the use of Social Security numbers, internet accessibility, vulnerability management and continuous monitoring, the Department's systems containing sensitive information, including PII, remain at a higher than necessary risk of unauthorized disclosure. The Department moved to secure the compromised system subsequent to the July 2013 breach. However, we noted that it had identified other high-risk systems that could also be at risk of future compromise. These applications contain PII and protected health information, the loss of which could affect public safety and health.

The Department can begin to rebuild trust by revamping its Headquarters cyber security program and control environment, enhancing communications and coordination in a number of areas related to cyber security and safeguarding PII, and moving away from the "stove piping" approach to managing information systems and data. To help address these issues, we made a series of recommendations designed to improve security over PII maintained by the Department.

MANAGEMENT REACTION

Management concurred with the report's recommendations and indicated that it had taken and/or initiated corrective actions. Management's comments and our response are summarized and more fully discussed in the body of the report. Management's formal comments are included in Appendix 4.

Attachment

cc:   Deputy Secretary
      Acting Under Secretary for Nuclear Security
      Acting Under Secretary for Management and Performance
      Acting Under Secretary for Science and Energy
      Chief of Staff
      Chief Information Officer
      Acting Chief Financial Officer
      Chief Health, Safety and Security Officer

SPECIAL REPORT ON THE DEPARTMENT OF ENERGY'S JULY 2013 CYBER SECURITY BREACH

TABLE OF CONTENTS

Technical Issues Contributing to the Cyber Security Breach

Details of Finding ........................................ 1
Recommendations ........................................... 9
Management Reaction and Auditor Comments ................. 10

Appendices

1. Timeline of Events Surrounding the Management Information System Security Breach ... 11
2. Objective, Scope and Methodology ...................... 12
3. Prior Reports ......................................... 13
4. Management Comments ................................... 15

THE DEPARTMENT OF ENERGY'S JULY 2013 CYBER SECURITY BREACH

Technical Issues Contributing to the Cyber Security Breach

The Department of Energy (Department) assessed the Management Information System (MIS) and DOE Employee Data Repository (DOEInfo) database as moderate-risk systems according to the criteria set forth in Federal Information Processing Standard 199, established by the National Institute of Standards and Technology (NIST). The risk rating is used to determine the effect on the agency should the system's confidentiality, integrity or availability be compromised. Although NIST required certain controls to be implemented to protect the systems, our review found that a number of these controls had not been implemented, or processes were not in place to ensure that the controls were operating effectively.

Use of Unencrypted Social Security Numbers

The Department inappropriately utilized Social Security numbers as an identifier in DOEInfo despite an Office of Management and Budget requirement that the use of Social Security numbers be eliminated to the extent possible by November 2008. Officials told us that the protection of personally identifiable information (PII) in several of the Department's systems had been considered as part of its response to the Office of Management and Budget requirement. The officials indicated, however, that DOEInfo was not one of the systems considered, even though it was the Department's primary repository for storing PII. In addition, the database had not been constructed in a manner in which Social Security numbers were restricted to a minimum number of tables or otherwise obfuscated in the system. In particular, we noted that 354 of the 543 (65 percent) tables exfiltrated from the database contained Social Security numbers. Officials informed us that, since 2006, almost 70 tables had been added to the database using an identifier other than an individual's Social Security number. However, no efforts had been undertaken to eliminate the unnecessary use of Social Security numbers in the existing DOEInfo database tables, even though the requirement to do so was over 5 years old.
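The finding that 354 of 543 tables carried Social Security numbers describes a schema in which the SSN itself is the join key, so every table that references a person repeats it. The following is an added example and not the DOEInfo schema or any Department code. It builds a legacy-style layout beside a minimized one in SQLite: the minimized layout joins on a surrogate person_id and confines the SSN to a single vault table that is looked up through a keyed HMAC pseudonym rather than the number itself, and an audit routine of the kind the finding describes counts how many tables in each layout contain an SSN. The table names, sample records and index key are constructed for illustration; in practice the key would live in a key management service and the vault's ssn column is the one place an encryption-at-rest control would then need to cover.

```python
"""SSN minimization: legacy layout beside a vault layout (added example, constructed data)."""
import hashlib
import hmac
import re
import sqlite3

# Constructed sample records; the SSNs use the never-issued 900-999 area range.
SAMPLE_PEOPLE = [
    ("900-00-0001", "Ada Example", "Bethesda, MD", "B0001"),
    ("900-00-0002", "Ben Example", "Germantown, MD", "B0002"),
]
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")

# Assumed key for the keyed pseudonym; a real deployment would fetch it from a KMS/HSM.
INDEX_KEY = b"example-index-key-not-for-production"


def build_legacy_schema(conn):
    """'Before' layout: the SSN is the join key and is repeated in every table."""
    conn.executescript("""
        CREATE TABLE legacy_employee (ssn TEXT PRIMARY KEY, name TEXT);
        CREATE TABLE legacy_address  (ssn TEXT REFERENCES legacy_employee, city TEXT);
        CREATE TABLE legacy_badge    (ssn TEXT REFERENCES legacy_employee, badge_no TEXT);
    """)
    for ssn, name, city, badge in SAMPLE_PEOPLE:
        conn.execute("INSERT INTO legacy_employee VALUES (?, ?)", (ssn, name))
        conn.execute("INSERT INTO legacy_address VALUES (?, ?)", (ssn, city))
        conn.execute("INSERT INTO legacy_badge VALUES (?, ?)", (ssn, badge))


def ssn_pseudonym(ssn, key):
    """Keyed HMAC of the SSN used as the vault's search key. An unkeyed hash would be
    reversible by enumerating the roughly 10^9 possible SSNs; the key prevents that
    for anyone who takes the table but not the key."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def build_minimized_schema(conn, key):
    """'After' layout: surrogate person_id for joins; the SSN appears in exactly one
    vault table. The vault's ssn column is the column encryption at rest would cover;
    it is left in the clear here because the standard library has no AES."""
    conn.executescript("""
        CREATE TABLE person    (person_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE address   (person_id INTEGER REFERENCES person, city TEXT);
        CREATE TABLE badge     (person_id INTEGER REFERENCES person, badge_no TEXT);
        CREATE TABLE ssn_vault (person_id INTEGER PRIMARY KEY REFERENCES person,
                                ssn_hmac  TEXT UNIQUE NOT NULL,
                                ssn       TEXT NOT NULL);
    """)
    for ssn, name, city, badge in SAMPLE_PEOPLE:
        pid = conn.execute("INSERT INTO person (name) VALUES (?)", (name,)).lastrowid
        conn.execute("INSERT INTO address VALUES (?, ?)", (pid, city))
        conn.execute("INSERT INTO badge VALUES (?, ?)", (pid, badge))
        conn.execute("INSERT INTO ssn_vault VALUES (?, ?, ?)",
                     (pid, ssn_pseudonym(ssn, key), ssn))


def find_person_by_ssn(conn, ssn, key):
    """The lookup path applications use instead of joining on the SSN."""
    return conn.execute(
        "SELECT p.person_id, p.name FROM ssn_vault v JOIN person p USING (person_id) "
        "WHERE v.ssn_hmac = ?", (ssn_pseudonym(ssn, key),)).fetchone()


def tables_containing_ssns(conn):
    """Audit metric of the kind the finding reports: scan every text value in every
    table and return (sorted names of tables holding an SSN, total table count)."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    hits = []
    for table in tables:
        for row in conn.execute(f'SELECT * FROM "{table}"'):
            if any(isinstance(v, str) and SSN_RE.match(v) for v in row):
                hits.append(table)
                break
    return sorted(hits), len(tables)


def compare_layouts():
    """Build both layouts in memory and return the audit metric for each."""
    legacy = sqlite3.connect(":memory:")
    build_legacy_schema(legacy)
    minimized = sqlite3.connect(":memory:")
    build_minimized_schema(minimized, INDEX_KEY)
    return {"legacy": tables_containing_ssns(legacy),
            "minimized": tables_containing_ssns(minimized)}


def demo_lookup(ssn):
    """Build the minimized layout and resolve one SSN through the vault."""
    conn = sqlite3.connect(":memory:")
    build_minimized_schema(conn, INDEX_KEY)
    return find_person_by_ssn(conn, ssn, INDEX_KEY)


if __name__ == "__main__":
    for layout, (tables, total) in compare_layouts().items():
        print(f"{layout}: {len(tables)} of {total} tables contain SSNs -> {tables}")
    print("lookup:", demo_lookup("900-00-0002"))
```

Running the block reports three of three tables containing SSNs for the legacy layout and one of four for the minimized one. The practical consequence is the point of the finding: with the vault design, every table other than ssn_vault can be exported, backed up or exfiltrated without exposing a single Social Security number, and the one column that does hold them is small enough to encrypt and monitor.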
In\npreliminary comments on our report, the Office of the Chief Financial Officer (OCFO) stated\nthat it had initiated actions following the July 2013 breach to reduce the number of Social\nSecurity numbers in the database, resulting in the removal of a number of tables.\n\nEven though Social Security numbers were used, the sensitive data maintained in the DOEInfo\ndatabase was generally not encrypted. Specifically, our analysis identified that none of the 354\ntables containing Social Security numbers had encryption enabled. The encryption of data at rest\nis an industry best practice, which NIST noted should be considered as part of a defense-in-depth\nstrategy to maintain the confidentiality and integrity of information. Although we recognize that\nencrypting data at rest may result in some performance issues, given the sensitivity of the\ninformation, we believe that encryption technologies should have been considered. We\npreviously identified issues related to encrypting data at rest at various programs and sites in our\nreport on Protection of the Department of Energy\'s Unclassified Sensitive Electronic Information\n(DOE/IG-0818, August 2009). In preliminary comments on our report, OCFO officials noted\nthat encryption would not have protected the data in DOEInfo from the type of attack that\noccurred in July 2013. While this may be true, we continue to believe that encryption within the\nsystem could protect the Department\'s PII from a number of other types of attacks and is a\nworthwhile control implemented by other industry organizations.\n\n\nPage 1                                                                          Details of Finding\n\x0c                                      Internet Accessibility\n\nAccess to the information within the DOEInfo database through the MIS gateway did not require\nthe use of enhanced authentication mechanisms, such as two-factor authentication or a virtual\nprivate network. 
The use of two-factor authentication would have required a valid user to\nprovide two means of identity proofing \xe2\x80\x93 such as a password, token or biometric signature \xe2\x80\x93\nprior to accessing the system from the internet. Instead, only a user name and password were\nrequired to access MIS from any location with an internet connection. While we understand the\nneed for individuals outside the Department\'s internal network to access certain information in\nDOEInfo, following a breach of MIS in January 2012, the OCFO\'s Director of Corporate\nInformation Systems expressed concern that the system was directly accessible from the internet\nto various officials within the Office of the Chief Information Officer (OCIO), including the\nChief Operating Officer, Chief Architect and former Chief Information Security Officer. In\naddition, during our review, OCIO and OCFO officials questioned why two-factor authentication\nhad not been considered for MIS. We noted that, despite the concerns that had been raised,\nremoval of MIS from the internet had not been given sufficient consideration.\n\n                                  Security Planning and Testing\n\nWe identified weaknesses related to system security planning and testing for both MIS and\nDOEInfo. For example, we noted that MIS and DOEInfo had not been securely integrated with\none another. Specifically, the systems were owned by two different groups within the\nDepartment \xe2\x80\x93 the OCIO and OCFO respectively \xe2\x80\x93 and thus not included within the same\nauthority to operate. While NIST noted that such an approach can provide a more targeted\napplication of security controls within each system, we found that the Department\'s treatment did\nnot relieve it of the responsibility to ensure that MIS and DOEInfo were integrated in a secure\nand functional manner. 
In addition, our review noted that, despite having been operable for\nalmost 10 years, no security planning documentation had been completed for MIS. In particular,\na security plan that provided details as to how required controls were implemented and/or\ninherited from other systems or the underlying infrastructure had been drafted in February 2013,\nbut had not been finalized at the time of our review.\n\nDespite being operational since 2004, the OCIO had not performed the required system\ncertification testing or provided MIS an authorization to operate. As such, the system had been\nin operation for nearly 10 years without a thorough review of its security controls, including\nmany of the controls that we determined were deficient, and the risks of operating the system in\nits untested state had not been identified. Although there was a significant gap in security,\nconsideration had not been given to removing the system from the operating environment until\nsuch a time that controls were tested and risks appropriately addressed. As required by NIST,\nsoftware applications such as MIS should be included in the risk management process because\napplication security is critical to the overall security of the system. In January 2013, the OCIO\nacknowledged ownership of MIS and began efforts to appropriately authorize it for operation.\n\nHowever, those efforts had not been completed at the time of the breach and remained\nincomplete at the time of our review. We also noted that MIS continued to operate on the\nDepartment\'s internal network even though security testing recently completed (testing report\ndated August 2013) by the OCIO identified nearly 80 required controls that were not fully\n\nPage 2                                                                         Details of Finding\n\x0cimplemented. 
Documentation provided by program officials did not include support for\nmitigating controls to address these weaknesses and recommended that an authority to operate\nnot be approved. At the time our report was issued, OCIO officials had not rendered a decision\nregarding authority for system operation.\n\n                     Vulnerability Management and Continuous Monitoring\n\nWe found that the Department had not taken appropriate action to remediate known\nvulnerabilities in its systems either through patches, system enhancements or upgrades. Critical\nsecurity vulnerabilities in certain software supporting the MIS application had not been patched\nor otherwise hardened for a number of years. Specifically, an operating system utility and a\nthird-party development application that were installed on the MIS server had not been updated\nsince early 2011. In addition, the vulnerability exploited by the attacker was specifically\nidentified by the vendor in January 2013. As a system within the Headquarters environment, the\nOCIO was responsible for maintaining and patching the underlying infrastructure and the\noperating system on which MIS and DOEInfo operated. Further, although an upgrade for the\napplication upon which MIS was built had been purchased jointly by the OCIO and OCFO in\nMarch 2013, it was not installed until after the breach occurred. The upgrade had been in the test\nenvironment since June 2013, but officials commented that it had not been applied to the\noperating environment because of functionality issues with an interconnected system. 
For the\npast 9 years, the Department\'s ongoing struggles with vulnerability management have been noted\nin our annual reports on the Department\'s unclassified cyber security program issued in\naccordance with the Federal Information Security Management Act of 2002.\n\nThe vulnerability management weaknesses identified above occurred because the OCIO had not\nimplemented a robust continuous monitoring process over the operating environment that could\nhave permitted identification and remediation of vulnerabilities in a timely manner. Although\nsome level of scanning was conducted on the MIS system, it did not fully identify the\nvulnerabilities related to the compromised web application. Specifically, scans of MIS\nconducted by the OCIO in March and April 2013 identified the application installed on the\nserver and several associated vulnerabilities, but action was never taken to mitigate the\ndiscovered problems. In addition, we noted that a more robust scanning capability, including the\nuse of authenticated scanning, would have identified additional application-specific\nvulnerabilities within MIS. However, officials with the OCIO\'s Energy Information Technology\nServices group informed us that authenticated scanning had been attempted on MIS but failed for\na variety of technical reasons. The Department\'s Office of Health, Safety and Security officials\ntold us that they had been asked to complete an authenticated scan of the MIS and DOEInfo\nsystems in support of the ongoing MIS certification process, but that the OCFO had indicated\nthat DOEInfo did not need to be included in this effort.\n\nBased on the results of our review, we continue to believe that such scanning, if performed\nsimultaneously on both systems, could have made system owners in both the OCIO and OCFO\naware of the level of vulnerabilities present on MIS and the potential effect of those on the\ninformation in DOEInfo. 
In preliminary comments to our report, OCFO officials indicated that\nscanning of both systems had been scheduled but not yet performed. As noted by NIST,\nagencies should establish effective continuous monitoring programs that include configuration\nmanagement and control processes and assessments of security controls within and inherited by\n\nPage 3                                                                        Details of Finding\n\x0ceach system. NIST also explained that justifications for not implementing patches should be\ndocumented, communicated and approved by appropriate management and warned that the risk\nof delaying remediation must be weighed carefully, considering the threat level, risk of\ncompromise and consequences of compromise.\n\n                                     Lifecycle Management\n\nThe Department did not assign the appropriate level of urgency to replacing end-of-life systems.\nSpecifically, core support for the version of the compromised application upon which MIS was\nbuilt ended in July 2012, and the Department failed to purchase the extended support that would\nhave provided limited coverage through July 2014. Although efforts were underway at the time\nof the breach to upgrade to a newer version of the application, the efforts had been slowed by\ntechnical difficulties with an interconnected application. During our research, we noted that\nsince the time the application had been installed for MIS, an updated version of the same\napplication had been introduced and withdrawn from the market and was now nearing the end of\nits core support period. Officials from the OCFO stated that a decision to upgrade the system\nhad not been made until December 2012, because it had not reached the end of its useful life\neven though it was two iterations behind the current version. 
While we acknowledge the need to\nensure responsible use of taxpayer funds, we question the decision not to upgrade to a less\nvulnerable version of the application sooner or give adequate consideration to how susceptible\nthe system was to being breached and the criticality of information it contained.\n\nIn preliminary comments on our report, OCFO officials noted that the end-of-life for the\ncompromised application was July 2014. However, our review determined that the software\'s\ncore support period expired in July 2012, and an OCFO official confirmed that the extended\nsupport option had not been purchased. Under a risk-based approach to cyber security, we\nbelieve the Department should have considered the risks associated with continuing to operate an\ninternet accessible system granting access to a large database of PII on an unsupported platform.\nFurther, we believe that the Department should have considered costs associated with mitigating\na system breach when considering the timing of lifecycle management activities for such\nsystems. We noted the Department procured the updated version in March 2013 for\napproximately $4,200. That amount coupled with labor costs associated with testing and\ninstalling the upgrade were significantly less than the cost to mitigate the affected system, notify\naffected individuals of the compromise of PII and rebuild the Department\'s reputation.\n\nContributing Factors to the System Breach and Subsequent Loss of PII\n\nWe identified a number of contributing factors that created an environment that permitted cyber\nsecurity weaknesses to go undetected and/or uncorrected. 
In particular, we determined that\nissues related to competing priorities, unclear lines of responsibility, lack of urgency and\nawareness over cyber security, inadequate authority of the OCIO over Federal systems at\nHeadquarters, and ineffective communication and cooperation among programs contributed to\nthe MIS/DOEInfo security breach.\n\n\n\n\nPage 4                                                                          Details of Finding\n\x0c                                        Competing Priorities\n\nCompeting priorities within and between the Department\'s programs frequently resulted in\ndecisions being made that increased the risk of intrusion to the Department\'s systems. For\nexample, although the OCIO had requested permission from the OCFO to perform authenticated\nscans of DOEInfo, officials from the OCFO\'s Office of Corporate Information Systems\ncommented that they had concerns related to degraded performance and what they believed to be\nunnecessary system access. This precluded testing from occurring in a timely manner and\noutweighed the necessity to review the system to ensure that sensitive data, including PII, was\nproperly secure. In preliminary comments on our report, OCFO officials informed us that an\nalternative testing process had been suggested. However, this testing still had not been\ncompleted by the OCIO at the conclusion of our fieldwork, nearly 3 months after MIS was\nplaced back into operation following the breach. In addition, we noted that competing priorities\nmay have impacted the Department\'s ability to complete the MIS upgrade in a timely manner.\nFor example, the upgrade was significantly delayed by functionality issues between MIS and an\nunderlying application. 
Because of this, MIS was allowed to operate in a vulnerable state until it\nwas ultimately removed from the network following the breach.\n\nWe also determined that the Department did not act with sufficient urgency when determining\nhow many individuals were impacted by the breach and notifying them accordingly.\nSpecifically, the Department\'s Chief Information Officer was also the Senior Agency Official for\nPrivacy, which may have hindered the response to the security breach. For example, employees\nwithin the OCIO were forced to balance the need to respond to and recover from the incident\nwith the need to analyze forensic data so affected individuals could be identified and notified in a\ntimely manner. We were told by OCIO officials that the organization responsible for incident\nresponse and recovery had also provided initial forensic information to the OCFO for analysis\nand identification of affected individuals. However, at some point, the decision was made by a\nsenior OCIO official to focus solely on incident recovery and perform no additional work on\nproviding information to the OCFO for analysis. As a result, conflicting priorities may have\nresulted in a less than fully effective and timely response in notifying individuals impacted by\nthe breach. In response to our ongoing criminal investigation, the Department initiated\nadditional efforts at our request to ensure that all affected individuals were identified. As a result\nof the Office of Inspector General\'s efforts, the Department identified more than 50,000\nadditional individuals impacted by the security breach but had not completed notifications to the\naffected individuals at the time of our review.\n\n                                      Lines of Responsibility\n\nIssues related to vulnerability management and security testing were exacerbated by blurred lines\nof responsibility for application patching and maintenance of MIS. 
In particular, even though the\nsystem had been in operation for many years, there was apparent confusion as to which\norganization was responsible for ensuring that proper security was maintained. Although the\nOCIO had recently acknowledged ownership of MIS and begun the security authorization\nprocess, it had not fully accepted all of its responsibilities for the system, such as patch\nmanagement. To that end, we noted that the specific organizational responsibilities of shared\nsupport staff had not been documented, leading to the confusion we observed regarding work\nperformed. We believe such conditions created an atmosphere in which both the OCIO and OCFO\n\nPage 5                                                                           Details of Finding\n\x0cperceived the other was responsible for addressing system vulnerabilities, with no action being\ntaken by either organization. To its credit, prior to the issuance of our report, the OCIO took\naction to identify and document the system-level responsibilities of support staff shared with the\nOCFO.\n\nWe also found that the Memorandum of Understanding used for systems hosted by the OCIO\nwas in a standard format and was not tailored to each system for which it was executed. OCIO\nofficials told us that they provided server maintenance and operating system patching, while\nsystem owners, such as the OCFO, were responsible for patching any applications that were\ninstalled on the servers. However, many program officials told us that they were unsure where\ntheir responsibilities began for systems hosted by the OCIO. We also noted that the\nMemorandum of Understanding did not include any corrective measures that could be taken by\neither party for noncompliance with the requirements of the document. Such measures could\nhave allowed the OCIO to block or remove unpatched or otherwise insecure systems, such as\nMIS, from the network until they were properly secured. 
In preliminary comments to our report,\nOCFO officials noted that such actions did not apply to MIS because it was an OCIO system.\nHowever, we noted that following the breach the OCFO rebuilt the system and approached the\nOCIO to obtain agreement to return it to the operating environment. The OCIO concurred with\nthe understanding that the system be placed on the Department\'s internal network. We believe\nthat such actions contributed to the confusion we observed surrounding the responsibilities for\nMIS.\n\n                                     Urgency and Awareness\n\nWe determined that a lack of urgency regarding cyber security may have contributed to the\nMIS/DOEInfo security breach. For example, in December 2012, the MIS system was identified\nby the OCFO\'s Office of Corporate Information Systems as having numerous vulnerabilities and\nwas in need of an upgrade to a newer, more secure version. However, the OCFO and OCIO did\nnot ensure the existing application upon which MIS was built was adequately secured while the\nupgrade was being implemented, leaving the system with numerous\nvulnerabilities, one of which was exploited during the breach. There was also confusion between\nthe OCIO and OCFO regarding management of MIS; yet, there was no urgency to solidify\nsystem responsibilities and develop a path forward until January 2013, when the OCIO\nacknowledged its duties as system owner. Instead, both groups assumed it was the other\'s\nresponsibility, leaving the system vulnerable and inappropriately managed.\n\nFurthermore, the DOEInfo database had become increasingly complex, adding more than 30\ninterconnections with other applications since it was developed in 1994. Department officials,\nhowever, had not maintained an awareness of the operating environment. After the recent\nbreach, the OCIO and OCFO were working together to identify and map out the full scope of the\nsystem, including connectivity to other systems. 
In comments on our preliminary report, OCFO\nofficials stated that they were aware of and had properly managed all system interconnections to\nDOEInfo. However, our review identified at least two interconnected systems that were no\nlonger being used, one of which had non-sensitive data taken from it during the breach. One\nsenior OCIO official even commented that he was unaware the system existed, let alone that it\n\n\n\n\nPage 6                                                                         Details of Finding\n\x0cwas the central repository for the Department\'s PII. Had the Department maintained a clear\nunderstanding of its operating environment, the need for enhanced security controls could have\nbeen identified and implemented, as appropriate.\n\n                                Authority over System Operations\n\nThe Federal Information Security Management Act of 2002 requires that the Chief Information\nOfficer have direct authority and responsibility to ensure that the Department\'s information\nsecurity policies, procedures and practices are adequate. However, because of certain\ndelegations of authority, the Chief Information Officer was required to coordinate those efforts\nwith the Senior Secretarial Officers. As a result, the authority of the Chief Information Officer\nhad become limited due to the emphasis placed on program and staff office requirements rather\nthan on ensuring the security of the Department\'s information systems. Specifically, we noted\nduring our review that OCIO officials had not been fully empowered to take systems that posed\nsignificant risk to the Department off the Headquarters network. We confirmed that no such\nauthority existed despite the increased complexity of the Department\'s Headquarters network and\nits reliance on the internet to accomplish business needs. 
Further, several individuals informed us\nthat past management practices had been to not disrupt the business and mission requirements of\nthe programs and staff offices that had systems hosted by the OCIO.\n\nWe believe the lack of a centralized authority over Federal systems at Headquarters to act in case\nof an emergent need adversely impacts the Department\'s ability to effectively minimize the risk\nof unauthorized access to and disclosure of sensitive information. We recognize the need to\nappropriately balance mission requirements against cyber security measures and to ensure\noperability for authorized access. However, we believe that an appropriate risk-based approach\nmust consider the benefits provided to a select few against the risks to all of such a significant\nloss of sensitive information. Rather, outdated and unsecured systems like MIS were allowed to\nremain on the network even though the OCIO knew that continued operation significantly\nincreased the risk that the Department\'s systems and information could be compromised.\nWithout a defined, centralized authority to act in an emergent situation and resolve disputes, the\nDepartment may not be able to minimize the effect of future cyber security breaches.\n\n                                Communication and Coordination\n\nThe Chief Information Officer and Senior Program officials are responsible for coordinating\nresponsibilities to provide information security for systems and data that support the assets under\ntheir control. However, a lack of communication and cooperation within and between programs\ncontributed to a culture wherein cyber security became secondary to ease of system access and\ncompletion of mission work. Several OCIO officials we met with during our review commented\nthat they were frequently directed by programs to not implement tools or controls on systems\nbecause it would affect performance or make it harder for employees to do their work. 
We were\nalso told that several of the Department\'s programs would not provide information to the Chief\nInformation Officer about systems and risks even though that individual is ultimately responsible\nfor risk acceptance authority over Federal systems at Headquarters. As such, the Department\ncould not attest to the level of risk its systems face on a daily basis. Notably, following the July\n2013 breach, the OCFO was one of only two programs/offices to provide the OCIO with\nrequested information pertaining to systems containing PII.\n\nPage 7                                                                          Details of Finding\n\x0cConversely, program officials stated that they frequently communicated information to the\nOCIO, as in the case of DOEInfo log anomalies and a drive space issue on the MIS server\n(Appendix 1), but would not receive a response as to whether there was a need for concern.\nSpecifically, we noted that the OCIO had alleviated the space issue by deleting what it\ndetermined to be a data dump file created by the Department\'s forensic tool. However, the OCIO\ndid not investigate whether that file was the reason for the loss of space prior to deleting it.\nRather, it identified the file as the largest on the server and the quickest way to remediate the\nimmediate issue and allow normal operations to resume. OCFO officials noted that the MIS\nserver generally had more than sufficient disk space. As such, we questioned why the loss of\nspace on a server that had never experienced a similar issue was not of higher concern. 
In short,\nwe have reason to believe that the loss of space may have been the result of the attacker\nattempting to exfiltrate information and, with the proper analysis, communications and\ncoordination, this could have been confirmed as suspicious activity, and the eventual loss of data\nmay have been prevented.\n\nFurthermore, a privacy official within the OCIO noted the privacy response for an unrelated\ncyber incident in January 2013, was confusing, frustrating and disorganized. Although a senior\nOCIO official stated at the time that a turnkey response plan would be established for future\nincidents, it was not developed and resulted in a similar confusing, frustrating and disorganized\nresponse to the recent breach. We believe strong leadership, a concerted effort, and willingness\nto move past the event to revamp the cyber security program and control environment could\nbegin to rebuild trust throughout the Department. Certainly, the culture within the Department\nthat minimized communication and coordination was not developed over a short period of time\nand, as such, will not be fixed overnight. However, the stovepipe approach to managing\ninformation systems and data has proven, as with the MIS breach, that continued failure to\ncommunicate and coordinate efforts could lead to significant negative mission impact and\nunauthorized loss of sensitive information.\n\nImpact and Path Forward\n\nWithout improvements to the Department\'s information technology and management control\nenvironment in areas such as the use of Social Security numbers, internet accessibility,\nvulnerability management and continuous monitoring, the Department will continue to place\nsystems containing sensitive information, including PII, at a higher than necessary risk of\nunauthorized disclosure. For example, we noted that the Department had identified additional\nhigh-risk systems containing PII that could be at risk of future compromise. 
These applications\ncontained PII and protected health information, the loss of which could affect public safety and\nhealth especially to the Department\'s workforce. Although precautions to secure the\ncompromised system had been taken subsequent to the breach, we believe immediate additional\nefforts are needed to strengthen the Department\'s cyber security posture, including reviewing the\nadditional high-risk systems and taking necessary action to minimize the likelihood of future\nevents.\n\nAbsent better protections, the Department could also continue to absorb the financial\nconsequences that are related to recovering from breaches of data security. Alarmingly, we\nnoted as many as 150,000 unique 9-digit records in the forensic data gathered after the event.\nTherefore, we believed the number of affected individuals significantly exceeded the 53,000\n\nPage 8                                                                         Details of Finding\n\x0creported by the Department prior to our review. Having determined the potential for nearly three\ntimes the number of affected individuals during our review, we communicated our concern that\nthe Department had not performed its due diligence in identifying all affected individuals and\nensuring they were notified in a timely manner. In response to our analysis and briefing to the\nDeputy Secretary in September 2013, the Department\'s Chief Information Officer and Acting\nChief Financial Officer stated that they believed many of the records included in the forensic\ndata represented false positives, but estimated the number of individuals impacted to be over\n104,000. In October 2013, the Department communicated the revised number of 104,179\naffected individuals to its employees. 
The OCIO noted that, as of October 2013, the Department\nestimated it would spend approximately $1.6 million for credit monitoring and labor costs\nassociated with establishing a call center through which affected individuals could obtain\nadditional information on the breach. We noted that additional costs may be necessary to\nsupport continued call center operations. In addition, the Department had incurred significant\ncosts associated with the recovery and lost productivity, funds that could have been better spent\nsupporting the Department\'s core missions. For instance, in October 2013, the Secretary\nauthorized the use of up to 4 hours of administrative leave for all affected Federal employees to\ntake action to correct issues associated with the event, an action we estimated could cost the\nDepartment an additional $2.1 million in lost productivity.\n\nWe also found that the breached information went beyond the names, dates of birth and Social Security\nnumbers initially reported by the Department. In particular, we noted through investigation or\ndiscussions with officials that select bank account numbers, places of birth, education, security\nquestions and answers, and disabilities were also included in the loss of information. According\nto officials we spoke with, several employees had received notification that their PII had been\ncompromised in both this and an earlier unrelated breach and noted that employee complaints\ndemonstrated a loss of confidence in the Department\'s management. As the Department works\nto improve its relationships with the affected individuals, it must make an earnest attempt to\nensure that notifications are made as quickly as possible.\n\nRECOMMENDATIONS\n\nGiven the unprecedented extent of this security event and loss of PII, prompt and effective\ncorrective actions are essential. 
In that respect, in addition to the actions recently initiated, we\nrecommend that the Department\'s Chief Information Officer and Acting Chief Financial Officer,\nin coordination with the Acting Under Secretary for Nuclear Security, Acting Under Secretary\nfor Science and Energy and Acting Under Secretary for Management and Performance:\n\n   1. Complete additional forensics reviews, as appropriate, to identify all types of data\n      compromised and notify affected employees, dependents and contractors of compromised\n      data in a timely manner in accordance with appropriate laws and regulations;\n\n   2. Identify all externally facing systems, determine if the continued external access is\n      necessary, and remove access if not deemed essential;\n\n   3. Implement an effective continuous monitoring program, to include the performance of\n      periodic in-depth authenticated reviews of each system, especially those that are\n      externally facing;\n\nPage 9                                                                        Recommendations\n\x0c   4. Reconfigure the DOEInfo database tables to remove unnecessary or outdated\n      information, remove Social Security numbers where possible, and protect those\n      remaining Social Security numbers through the use of encryption or other security\n      protocols as appropriate and in conjunction with Federal requirements;\n\n   5. Clarify the authorities and responsibilities of the OCFO and the OCIO as they pertain to\n      the ownership and management of the impacted systems;\n\n   6. Develop an effective risk management approach that properly identifies weaknesses and\n      costs of mitigation to allow senior management officials to effectively apply limited\n      resources to minimize future events;\n\n   7. 
Develop a process and central authority responsible for shutting down compromised or\n      significantly vulnerable systems, at least on a temporary basis, to ensure minimal\n      disclosure of national security, personally identifiable and other sensitive information;\n      and\n\n   8. Prepare a lessons learned report that can be shared across the complex.\n\nMANAGEMENT REACTION\n\nManagement concurred with each of the report\'s recommendations and indicated that corrective\nactions had been taken or were planned to address the issues identified during our review. For\ninstance, management commented that it had completed forensic reviews related to the breach\nand had notified nearly all of the individuals whose information had been compromised. In\naddition, management stated that it will remove Social Security numbers from DOEInfo, where\npossible, and protect the remaining numbers through the use of encryption or other security\nprotocols. Management also committed to enhancing its continuous monitoring process,\nincluding conducting vulnerability assessments of DOEInfo and its connected services and\napplications.\n\nAUDITOR COMMENTS\n\nManagement\'s comments and planned corrective actions were responsive to our recommendations.\nManagement\'s comments are included in Appendix 4.\n\n\n\n\nPage 10                                      Management Reaction and Auditor Comments\n\x0cAppendix 1\n\n  TIMELINE OF EVENTS SURROUNDING THE MANAGEMENT INFORMATION\n                     SYSTEM SECURITY BREACH\n\nBased on interviews with Department of Energy (Department) and contractor officials and\nreviews of supporting documentation, we established a timeline of events related to the recent\nbreach of the Management Information System (MIS) and DOE Employee Data Repository\n(DOEInfo) database. 
In particular, we found:\n\n   •   July 2, 2013: An application developer noticed an anomaly in the DOEInfo system logs\n       while performing duties for the Office of the Chief Financial Officer (OCFO) related to\n       investigating an unrelated programming error. The responsible group within the Office\n       of the Chief Information Officer\'s (OCIO) Energy Information Technology Services\n       (EITS) organization was notified so it could investigate further, because it has\n       responsibility for the servers on which MIS and DOEInfo reside. The determination was\n       made by an OCIO official that someone was repeatedly attempting to access the server\n       running MIS. The developer told us that he did not receive any feedback on this issue\n       from EITS.\n\n   •   July 24, 2013: The MIS server was breached, according to forensic analysis that was\n       performed following the event.\n\n   •   July 25, 2013: The OCFO application developer noticed that the MIS server had run out\n       of drive space and was not responding to normal data requests. Officials from that office\n       stated that this was an anomaly, as the system generally had an ample amount of disk space\n       available. Again, EITS was notified. In this instance, no investigation was performed to\n       determine the reason for the loss of space. 
Rather, the largest unnecessary data file on the\n       server was deleted to allow the system to return to normal operation.\n\n   •   July 26, 2013: Data was successfully exfiltrated from the DOEInfo database through\n       MIS when hackers were able to elevate their privileges and run more than 600 queries\n       against the system in a role that provided unlimited access to the database and other files\n       on the MIS server.\n\n   •   August 8, 2013: The data breach was identified, and MIS was taken offline.\n\n   •   August 18, 2013: MIS was reintroduced to the Department\'s internal network after both\n       the virtual machine and web application were rebuilt using a clean operating system and\n       updated version of the application software.\n\n\n\n\nPage 11                           Timeline of Events Surrounding the MIS Security Breach\n\x0cAppendix 2\n\n                       OBJECTIVE, SCOPE AND METHODOLOGY\n\nOBJECTIVE\n\nTo determine the circumstances that led to the July 2013 cyber security breach at the Department\nof Energy (Department) Headquarters.\n\nSCOPE\n\nThe review was performed between September and December 2013, at the Department\'s\nHeadquarters facilities in Washington, DC, and Germantown, Maryland.\n\nMETHODOLOGY\n\nTo accomplish our objective, we:\n\n   •   Conducted over 35 interviews with Federal and contractor officials from the Offices of\n       the Chief Information Officer and the Chief Financial Officer as well as other program\n       and staff offices;\n\n   •   Reviewed Federal laws and regulations related to controls over information technology\n       security and privacy such as the Federal Information Security Management Act of 2002,\n       Office of Management and Budget Memoranda and National Institute of Standards and\n       Technology standards and guidance;\n\n   •   Evaluated supporting documentation related to cyber security planning, 
development and\n       management of the Department\'s Management Information System and the DOE\n       Employee Data Repository database;\n\n   •   Analyzed forensic data from the security breach to include data and database tables\n       exfiltrated;\n\n   •   Reviewed the relationships among the Office of the Chief Information Officer and\n       Headquarters programs and staff offices; and\n\n   •   Reviewed prior reports issued by the Office of Inspector General and the U.S.\n       Government Accountability Office.\n\nWe believe that the evidence obtained provided a reasonable basis for our findings and\nconclusions based on our objective. Because our review was limited, it would not have\nnecessarily disclosed all internal control deficiencies that may have existed at the time of our\nreview. We did not rely on computer-processed data to satisfy our objective. We held an exit\nconference with the Chief Information Officer on December 6, 2013.\n\n\n\n\nPage 12                                                    Objective, Scope and Methodology\n\x0cAppendix 3\n\n\n                                     PRIOR REPORTS\n\n  •   Evaluation Report on The Department\'s Unclassified Cyber Security Program – 2012\n      (DOE/IG-0877, November 2012). The review identified weaknesses with access\n      controls, vulnerability management, integrity of web applications, planning for continuity\n      of operations and change control management. The weaknesses identified occurred, in\n      part, because Department of Energy (Department) elements had not ensured that cyber\n      security requirements were fully developed and implemented. In addition, programs and\n      sites had not always effectively monitored performance to ensure that appropriate\n      controls were in place. 
Without improvements to its unclassified cyber security program,\n      including implementation of effective continuous monitoring practices and adopting\n      processes to ensure security controls are in place and operating as intended, there is an\n      increased risk of compromise and/or loss, modification and non-availability of the\n      Department\'s systems and information.\n\n  •   Evaluation Report on The Department\'s Unclassified Cyber Security Program – 2011\n      (DOE/IG-0856, October 2011). The review noted that the number of weaknesses\n      identified represented a 60 percent increase over the previous year, and although some\n      action had been taken, there was still additional action needed to further strengthen the\n      Department\'s cyber security program. Specifically, the review revealed weaknesses in\n      the areas of access controls, vulnerability management, web application integrity,\n      contingency planning, change control management and cyber security training. The\n      weaknesses identified occurred, at least in part, because Department elements had not\n      ensured that cyber security requirements included all necessary elements and were\n      properly implemented. Program elements also did not always utilize effective\n      performance monitoring activities to ensure that appropriate security controls were in\n      place. Without improvements to its unclassified cyber security program, such as\n      consistent risk management practices and adopting processes to ensure security controls\n      are appropriately developed, implemented and monitored, there is an increased risk of\n      compromise and/or loss, modification, and non-availability of the Department\'s systems\n      and information.\n\n  •   Evaluation Report on The Department\'s Unclassified Cyber Security Program – 2010\n      (DOE/IG-0843, October 2010). 
The review noted that although some action had been\n      taken, there was still additional action needed to further strengthen the Department\'s\n      cyber security program. Specifically, the review revealed weaknesses in the areas of\n      access controls, configuration and vulnerability management, web application integrity,\n      and security planning and testing. The weaknesses identified occurred, at least in part,\n      because Department elements had not always ensured that cyber security requirements\n      were effectively implemented, nor had they adequately monitored cyber security\n      performance. Plans of action and milestones were also not always used effectively to\n      ensure that known security vulnerabilities were properly remediated. Without\n      improvements to its cyber security program, Department systems and the information\n      they contain are exposed to a higher than necessary level of risk.\n\n\n\nPage 13                                                                          Prior Reports\n\x0cAppendix 3 (continued)\n\n\n     •    Audit Report on Protection of the Department of Energy\'s Unclassified Sensitive\n          Electronic Information (DOE/IG-0818, August 2009). The review identified that\n          some sensitive information at various sites was not encrypted, which included both\n          stored and transmitted information, hardware was not properly secured, and programs\n          and sites were still working to complete required Privacy Impact Assessments. These\n          weaknesses were attributable in part to Headquarters programs and field sites that\n          had not implemented existing policies and procedures requiring protection of\n          sensitive electronic information. In addition, a lack of performance monitoring\n          contributed to the inability to ensure that measures were in place to fully protect\n          sensitive information. 
While some steps have been taken to address these identified\n          weaknesses, additional effort is needed to help ensure that the privacy of individuals\n          is adequately protected and that sensitive operational data is not compromised.\n\n\n\n\nPage 14                                                                          Prior Reports\n\x0cAppendix 4\n\n             MANAGEMENT COMMENTS\n\n\n\n\nPage 15                            Management Comments\n\x0cAppendix 4 (continued)\n\n                                         Attachment A\n\n                             MANAGEMENT RESPONSE\n                       Inspector General\'s Draft Special Report on\n                The Department of Energy\'s July 2013 Cyber Security Breach\n\nRecommendation 1: Complete additional forensics reviews, as appropriate, to identify all types\nof data compromised and notify affected employees, dependents and contractors of compromised\ndata in a timely manner in accordance with applicable laws and regulations.\n\nManagement Response: Concur\n\nThe Offices of the Chief Information Officer (OCIO) and the Chief Financial Officer (OCFO)\nhave completed additional forensic reviews. In accordance with the Office of Management and\nBudget\'s (OMB) Memorandum M-07-16 and DOE Order 206.1 for source, content, method and\ntarget for notifying affected personnel, notifications have been completed for over 99% of the\naffected individuals. 
The OCIO has continued to exhaust all means of outreach to affected\npersonnel, including but not limited to:\n\n   •   Posting alerts and notices on internally and externally facing Energy web sites\n   •   Generating log-in alerts\n   •   Communicating directly with all internal and external organizations having affected\n       personnel\n   •   Providing a dedicated call center with a toll free number\n   •   Leveraging commercial search services\n\nThe OCIO continues to work with other organizations, including government agencies and\ncommercial search firms, to locate accurate contact information in order to notify the remaining\nless than 1% of the affected personnel.\n\nRecommendation 2: Identify all externally facing systems, determine if the continued external\naccess is necessary, and remove access if not deemed essential.\n\nManagement Response: Concur\n\nThe OCIO has been working with the Office of Health, Safety and Security (HSS) to complete a\nfull assessment of all Internet facing systems on the DOE Trusted Internet Connection (TIC),\nwith the goal of a near real-time understanding of vulnerabilities present on TIC systems.\n\nThe OCIO has engaged the Department of Homeland Security (DHS) to conduct scans of the\nentire DOE Internet Protocol (IP) space for vulnerabilities. DHS has a major program designed\n\n\nPage 16                                                              Management Comments\n\x0cAppendix 4 (continued)\n\nto scan large network blocks for web application and other vulnerabilities. DHS has already\nscanned for specific vulnerabilities related to Content Management System vulnerabilities and\nprovided reports on DOE\'s sites with vulnerable systems. 
The OCIO is following up with\nProgram and Staff Offices (PSOs) regarding the results of DHS scans.\n\nRecommendation 3: Implement an effective continuous monitoring program, to include the\nperformance of periodic in-depth authenticated reviews of each system, especially those that are\nexternally-facing.\n\nManagement Response: Concur\n\nDOE is integrating continuous monitoring into its department-wide cybersecurity strategy. DOE\nis participating in DHS\'s Continuous Diagnostics and Mitigation (CDM) Program and is an\n"early engager" within the program, with plans to expand the program broadly across DOE in FY\n2014. DOE elements report progress toward continuous monitoring goals through the\nDepartment\'s Business Quarterly Report (BQR) process. Additionally, the CIO is drafting\nimplementation direction and guidance to achieve White House Cybersecurity Cross Agency\nPriority Goals. This direction and guidance will be reviewed by the Cyber Council and issued by\nthe Deputy Secretary.\n\nThe OCIO and OCFO have also requested HSS to conduct initial and periodic authenticated scans of\nDOEInfo and its connected services and applications. Improvements to the real-time protection and\ncontinuous monitoring of DOEInfo and the underlying infrastructure are being implemented by the\nOCIO.\n\nRecommendation 4: Reconfigure the DOEInfo database tables to remove unnecessary or\noutdated information, remove social security numbers (SSNs) where possible, and protect those\nremaining SSNs through the use of encryption or other security protocols as appropriate and in\nconjunction with Federal requirements.\n\nManagement Response: Concur\n\nThe OCIO and OCFO are partnering to conduct a detailed review of all services and applications\nwith connections to DOEInfo. This review will include an evaluation and validation of the need\nfor the collection and retention of employee data. 
The review will include an assessment of the security associated with the application or service connection to DOEInfo, as well as the security associated with the connected service and/or application itself. The review will also include an assessment of record retention requirements and the separation of historical records from active data.

Phase 1 will be completed by the end of January 2014 and involves the removal of all unnecessary or outdated information and removal of SSNs, where possible. Phase 2 will be completed by the end of May 2014 and will protect remaining SSNs through the use of encryption or other security protocols as appropriate and in conjunction with Federal requirements. OCFO has already made several improvements to DOEInfo since the event:

   •   Changed all user and database connection passwords (August 20, 2013)
   •   Encrypted the DOEInfo password table at rest (September 4, 2013)
   •   Forced DOEInfo password change on-line (September 4, 2013)
   •   Removed bad password strings from being stored, storing only the date and time of the failure (September 17, 2013)
   •   Updated official leave forms to include digital signature capability and collect only the last four digits of the employee's SSN. The only affected page is the leave donation report used by the DOE Payroll Office.
       Added a new ESS Admin role for leave donation so only the Payroll Office will see the ESS leave donation functions (September 19, 2013)
   •   Activated database auditing for all DOEInfo users coming in through the DOE Intranet and via tools such as Microsoft Access (October 1, 2013)
   •   Archived or deleted 152 tables that contained SSNs from the DOEInfo database (October 25, 2013)

Recommendation 5: Clarify the authorities and responsibilities of the OCFO and the OCIO as they pertain to the ownership and management of the impacted systems.

Management Response: Concur

Authorities and responsibilities of the OCFO and the OCIO as they pertain to the ownership and management of impacted systems will be formally documented by December 31, 2013.

Recommendation 6: Develop an effective risk management approach that properly identifies weaknesses and costs of mitigation, to allow senior management officials to effectively apply limited resources to minimize future events.

Management Response: Concur

Line managers are responsible for the effective risk management of systems under their authority and purview. Within the OCIO, the CIO has rescinded the delegation of system authorization and implemented weekly reviews of system risks under the line management authority of the CIO. These weekly reviews include discussion of inherited or transferred risks associated with hosting, housing and interconnect agreements. The OCIO will work with PSOs and HSS to coordinate insight and oversight of risk management.
In addition, the DOE Cyber Council has tasked a working group within DOE to review management and technical best practices and to develop recommendations for propagating best practices across the DOE enterprise.

Recommendation 7: Develop a process and central authority responsible for shutting down compromised or significantly vulnerable systems, at least on a temporary basis, to ensure minimal disclosure of national security, personally identifiable and other sensitive information.

Management Response: Concur

System and application owner/operators are ultimately responsible for the security of their systems. The OCIO will review and update the Data Center and Systems Services Application Hosting Environment Memorandum of Agreements and Interconnection System Agreements to ensure roles and responsibilities are clearly documented by January 31, 2014. In addition, the authorities and process for identifying significantly vulnerable systems, communicating their vulnerabilities and status, shutting down or severing connections to these systems, and reactivating these systems after appropriate actions are taken to reduce or eliminate the risk will be formally documented by March 31, 2014.

Recommendation 8: Prepare a lessons learned report that can be shared across the complex.

Management Response: Concur

The OCIO and OCFO will prepare a lessons learned report by December 31, 2013.

                                                                    IG Report No. DOE/IG-0900

                           CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products.
We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if applicable to you:

     1. What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

     2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

     3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

     4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?

     5.
        Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                               Office of Inspector General (IG-1)
                                     Department of Energy
                                    Washington, DC 20585

                                  ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer friendly and cost effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

                   U.S. Department of Energy Office of Inspector General Home Page

                                           http://energy.gov/ig

      Your comments would be appreciated and can be provided on the Customer Response Form.